all right. Our next module will talk a little bit about physical security, and you can't take for granted the physical security of your building off your facility of your work space. Physical security has several different important elements to it. We have to think about protecting
the lives of our co workers, and I know that sounds very dramatic, but there's a lot of crime out there. There's a lot of violent crimes.
Course we have to protect. Our company resource is as well. Our first priority with physical security is always gonna be human life. Why are we vulnerable? I think I talked about this a little bit in the last chapter. Often, things are designed to be unsecure,
and that's also true when we talk about facility design as well.
Think about some of the parking garage is you've been in, for instance, are they designed to be compact and cheap and easy or they designed to be secure? So we'll talk about that physical design of building failure to follow policy with physical security. Honestly,
I see failure to follow physical security policy
every day of my life in some form or fashion, and then we'll talk about some best practices, all right, so physical security covers a wide range of topics. You know our security guards if we have guard dogs, locks on windows, locks on doors,
table locks and cable traps for our devices.
You know, we could just go on and on and on gates and bollards, bollards or those often concrete post to keep people from driving through a building. If you have not seen a bollard come toe Washington D. C. It's like the city's flag. All of a sudden, the bollards are everywhere Ever since 9 11
But the bollard keep drive through, you know, driving through buildings or driving into buildings,
Fire safety and prevention, making good decisions in relation to fire safety. I work in a lot of office spaces, and in the winter time, the favorite fire hazard of all is the electric heater conveniently beside the trashcan where all the paper goes.
And if we just want to kind of think about that thought and follow it through, probably not a good idea.
My motto is, if you think you smell smoke, you do. We better fix that problem very, very quickly. So it was just making some good common sense decisions with physical security, fire safety and any sort of theft prevention devices. And really again, when you focus on physical security, we're looking at protecting our people
in protecting our property.
So why do we care? Of course, the safety of our employees is priority number one. You know, I talked about door locks. As important as it is to lock the proper doors, it's also equally important to have the proper doors unlocked. Evacuation route We had a huge tragedy in North Carolina years back
at a plant in one of the smaller cities, but it was a very large planet, held a lot of employees,
and unfortunately, they had a fire and, uh, their doors, their escape doors were locked and many lives were lost in that event simply because somebody locked the wrong door in the via cue of the evacuation routes that they've been trained to use. We're not available. It's a terrible situation,
so we have to make sure
that that is, You know that that's not an issue. Often, an attacker can use physical security as a way of clearing the building. So for instance, the easiest way for me to clear clear a building is to pull the fire alarm.
Now that I've pulled the fire alarm and everybody's evacuated, I have access to the building. Which is exactly why I say you should never wander off from your computer without locking it. The Windows key and the letter L will walk your system immediately takes 1/4 of a second. It's very quick and very easy. Even in the event of an evacuation,
everybody has time to hit those keys.
We would never go back into a dangerous situation to do that. We would do that before we leave.
Also, we're still liable to protect our company information, our patient information, financial data, even in the event of an emergency. So if we leave and we have this huge vulnerability with the system that's available our organization, sometimes we, as individuals could still be held liable
Physical access Giving the wrong person physical access to the building
can lead the theft of equipment personal property. It could lead to me getting an unauthorized network device like a sniffer on your network, so we really have to look a physical security as as a huge benefit and physical access to be a huge threat onto our network. Why air we vulnerable people?
People are the weakest link.
People use shortcuts. So, for instance, I walked down. I forgot my badge. Let me just prop this door open while I run out to my car because I don't wanna have to run back up and get my badge. So here's the store that's propped open for two and 1/2 minutes while I'm, you know, wandering through the parking lot.
You know, propping doors open, leaving them unlocked, using default settings. Because it's easy to remember you've got a four character combination lock 1111 or the more common 1234 Attackers know this stuff,
you know? So the shortcuts, these things that we do for ease of use those air always gonna person in
a vulnerability. We have to be very security minded.
uh, you know, one of the things that I most commonly see and I've mentioned this earlier piggybacking letting someone else in on your card swipe. It happens all the time, and I have worked in a large number of places, you know, probably The most glaring instance
was I worked at a secure facility.
I had to have an escort everywhere I went in that facility, including to and from the restroom, went through a search coming in. Everything I had was X rayed. It was a secure facility in downtown Arlington. So Day three, something like that.
A couple of things. Day three, I brought in a box of doughnuts. I mean, it said they were box of doughnuts. It had Dunkin Donuts on the box. It was a Dunkin Donut box.
So the security guard says No, you'll have to run that box through the X ray system.
Well, my escort says No, no, just give him to me and I'll walk them in.
Never once looked at what was in the contents of the box. Simply trusted that because I'm a trainer, that I'm honest. I have integrity, and I wouldn't dare bring anything negative into the organization.
Not only should my escort of known better, why did that security guard allow that to happen? You know, here's an untrusted entity. Bringing an unknown element in it doesn't make that any less known. If I hand it off to somebody So the security guard really was very remiss in that, as was my escort.
My escort did not really get a sterling evaluation for me, by the way, because on Day five on Friday afternoon,
we had just done Ah, whole couple of hours lecture on physical security and all of the elements and all the things to watch for, and we spent a good amount of time on piggybacking.
So we go down to the third floor and he asks me to wait by the elevator because he has to get something at his desk. So again, he left me unsupervised, which he was not supposed to do, but I have not Trustworthy face,
um, went to its door, swiped his badge, and a young woman comes out from around the corner
and he lets and he's holding the door for
now. I know he didn't know where
because he said, But you do have a badge, don't you?
As if she couldn't possibly lie if she was trying to gain unauthorized access
asking someone Are you telling the truth is not a security technique,
right? Show me your badge. Let me walk you to your desk just to make sure you have everything you need. I don't want you to be locked out again. You don't have it at your desk. Let's go down to security. Let's go ahead and get you the access that you need. So I was just stunned,
and the guy was mortified to cause he way made that eye contact, and he was ashamed.
I couldn't even look at him after that. I had to look away. Um,
but people do it all the time out of courtesy. Uh, they're called unexpectedly, and they revert back to what's default for them. So I understand. But we gotta stop. We gotta stop letting unauthorized people into our building.
Right? These attacks are riel. Week after week after week. We hear about a compromise. Well, how did that at attacker get on our network?
Yeah, maybe it was through the internet. Maybe it was through an open port on the firewall. Maybe he walked into our building, un escorted and plugged into a port on the wall.
Or maybe he came in with a suit and tie and asked someone to leave their system because he was conducting an internal audit.
Right? That person should have never gotten in the building to start with.
Attackers are smart. They know what makes people tick, and they're constantly changing their venue. And I have a lot of friends and myself included that we participate in social engineering penetration testing. So I'll go to an organization,
and I will go through a series of tests on various employees to see if I can gain access to something I shouldn't,
a uniform, just a garden variety uniform. You know, brown uniform gives the illusion I'm with FedEx. Right blue uniform lets me look like a service technician. Ah, clipboard is a great tool.
Clipboards are really cheap,
right? But they make me look official. Be careful. Don't allow access into the organization without you directly verifying their credentials.
And more than anything else, I would really stress to you report violations. Physical security is a huge, huge, huge concern.
Don't allow an attacker on the premises.
Now, be an advocate for physical security.
I cannot stress enough how important it is that we feel safe in the workplace and not just at our desk in the parking garage. Many of us work long hours and especially in the winter time, it gets dark early. If I don't feel safe going to the parking garage, I walk with a friend.
I'll ask the security guard to escort me.
They be an advocate suggest you do. Is there any way we could get motion detector lighting here, or is there anything that we could do? Could we maybe put a mirror in the stairwell? You know, I think what you'll find in a lot of instances, companies that Air Security minded are looking for suggestions.
They're open to suggestions. I'm not saying every places I've worked in the real world before as well,
but I never know unless I ask. I've gotta be in my own advocate from a physical security perspective. Another thing I will tell you. It's trust your instincts. Trust your gut, right? Be aware, be vigilant. And even if you're distracted, looking for your keys or doing this, that or the other,
your senses are paying attention,
and I don't know if you've just ever been in the situation where all of sudden the hair on the back of your neck stood up for all of a sudden, you just got this feeling and listen to that feeling, you know, look at your surroundings and see. Is there something that's triggering this years and years ago? I worked in college when I was in college for Domino's Pizza.
That is not on endorsement.
Neither an endorsement nor a condemnation. I just work there and I got robbed at gunpoint
and not saying that to be dramatic. It was just one of those things that happened. And when you're 20 it's not as big a deal is. It would be now, you know, 20 hours. It's like not that was interesting. But the thing was this when I went to deliver this pizza to a specific location apartment, when the guy came out from around the corner and he had a gun,
I swear to you the first thought from the mountain that my mind waas
I knew this was happening and it wasn't a control thought it wasn't a personal thought. It was just this recommendation of all these weird things that I had noticed that came together. And it was like,
You know, you've got to be aware, and I'll tell you, I'm not proud if I'm in the convenience store three o'clock in the morning and somebody comes in that I'm not comfortable with. I'm out of there. I'll move on to the next convenience store there, a 1,000,000 same thing in the work environment. If you go out to your car and there's somebody suspicious hanging around the garage leaf,
go get security called security Getting escort. I'll tell you, sometimes we feel silly asking for help in those cases. Do it.
You you know it will be something that you know.
It's not a big deal. It's really not that I think you'll find most security guards were happy to do that. Watch for suspicious activity. Look for people you don't know. Many of you have worked in your jobs year after year after year. You know the people you work with. So when somebody's not
someone you work with, not a familiar face, don't be afraid to ask a stranger for their badge. Don't be afraid if you see someone wandering around to say, Hey, can I help you?
I was at a quiet facility
and I had gotten into the building, but I clearly didn't know where I was going, and a young woman came up and she said, Where you going? And she walked me all the way to the facility, and I thought, how nice she is and then in the Kurdish, actually want me all the way to security. Thought why? She's really not. She went nice. She was following security policy.
She was saying, Here's somebody that clearly doesn't belong.
I'm gonna drop him off the security desk and I'm gonna go with her to make sure that it handles. It's handled properly. And I thought that was a great job from a security perspective. So, you know, I'm not gonna tell you anything. Earth shattering with security. Lock your doors. Clear your desk. Um, you know, lock up laptops.
Don't leave sensitive information out those things that we think of.
But the big things I want to communicate to you trust your gut. Trust your instincts. Don't be afraid to advocate for yourself. If you're feeling like something suspicious, don't be afraid to contact your security team. You can trust your senses if you make a call and it doesn't turn out to be anything. So what? You've wasted 30 seconds of your life.
Honestly, people are really what we consider to be the last layer of defense to protect our organization. We can have all the policies in place. We can have all the technical controls, but at some point in time, it really comes down to me and you are eyes and our ears. So that's our responsibility, certainly.